Organizations such as True Exposure Investments, Inc. (“TruX”) that collect, use or disclose Personal Information (as defined below) in the course of commercial activities must comply with the obligations set out in Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA only applies to information about natural persons. Similar requirements are set out by the Alberta Personal Information Protection Act; the British Columbia Personal Information Protection Act; and the Quebec Act Respecting the Protection of Personal Information in the Private Sector. TruX’s responsibilities also extend to any Personal Information it transfers to a third party for processing.
“Personal Information” is defined as information that identifies an individual and includes, but is not limited to, their name, email, address, age, marital status, race/nationality, financial records, religion or social insurance number. It may also include information on how individuals use TruX’s websites and mobile applications.
Examples of information collected include:
- Identifiers, which include name, address (business or home), telephone number, email address, fax number, screen name, user ID and password, IP address or MAC address;
- Information relating to Internet activity or other electronic network activity, which includes operating system type and version, web server type and version, PHP version, database type and version, cookie information, device information, browsing activities and platform or mobile application use data, referring domain, destination domain and destination path, performance, security, software configuration, website user statistics and use and viewing activity records and communication preferences;
- Mobile phone number, mobile country code, unique device identifier, mobile advertising identifier (assigned by your mobile platform), information about the screen size of your mobile device(s), the date and time of your device use and other mobile device-related information; and
- Geolocation data, which includes geographic information derived from your IP address or MAC address; latitudinal and longitudinal data.
Other information, including the contents of investor communications with TruX, whether via email, telephone or otherwise, and inferences, may be taken from other personal information collected.
Individuals or service providers who provide Personal Information to TruX are requested to notify TruX as soon as possible of any changes, deletions or corrections to their Personal Information so that TruX may keep such information up-to-date.
Purposes of Collection, Use and Disclosure of Personal Information and Consent
TruX collects and maintains Personal Information about individuals in connection with the offering and sale of its Funds through third-party dealers, investor communications or otherwise as required by law. TruX collects and maintains Personal Information in order to:
- Facilitate the establishment, servicing and administration of investor accounts (such as providing tax receipts, investment fund financial statements and other information that may be requested or needed to service these accounts);
- Execute transactions;
- Protect TruX and investors from error and fraud; and
- Establish TruX’s legal rights or defend against legal claims.
Personal Information collected includes name, address, date of birth and social insurance number. TruX typically collects this information from third-party dealers who distribute TruX’s Funds.
Personal Information shall not be used or disclosed for purposes other than those for which it was collected. TruX may disclose Personal Information to third parties and to TruX affiliates, when necessary and without the consent of an investor, including:
- financial service providers used to finance or facilitate transactions by, or the operations of, a TruX Fund;
- other service providers to a Fund such as accounting, legal or tax preparation services;
- other individuals or entities, when TruX believes that disclosure is necessary to detect, prevent or report suspicious activities, prevent physical harm, financial loss or violations of agreements and policies; and
- regulatory, tax or other government authorities and agencies. TruX will only disclose Personal Information to a governmental entity or other regulatory or self-regulatory organization when required to do so by such laws and regulations, or by court order.
The collection of Personal Information will be limited internally to those functions for which it is necessary for TruX to provide Services and for third-party service providers to be able to provide services to TruX. Before TruX may use Personal Information for a purpose not previously identified, the new purpose shall be identified and consent will be obtained from an investor via the third-party dealer before the information is used for the new purpose (or the Fund Investor may opt out), unless the use is otherwise required by law.
TruX maintains physical, technological and organizational controls consistent with regulatory standards to safeguard Personal Information in its possession. Reasonable security safeguards have been implemented to help protect Personal Information from loss, misuse, unauthorized access or disclosure. These measures include, but are not limited to:
- Restricted physical and system access controls;
- Safeguards to detect and prevent security system failures;
- Use of secure user authentication protocols for access to records with Personal Information;
- Use of reasonably up-to-date firewall protection and operating system security patches;
- Use of reasonably up-to-date versions of system security agent software including malware protection and virus definitions;
- Reviewing safeguarding controls of service providers who receive Personal Information as part of the provision of TruX Services; and
- TruX Representative training on TruX’s privacy obligations.
TruX remains responsible for Personal Information it has disclosed to third parties and endeavours to protect this information through contractual agreements. TruX does not sell or lease Personal Information to third parties nor does it share Personal Information with third parties for their marketing purposes.
Notwithstanding the aforementioned controls, there remains a residual risk of a breach of security safeguards that could result in a real risk of significant harm. See section “Breaches and Risk of Harm” below for TruX’s reporting and notification procedures to deal with a privacy breach that results in a real risk of significant harm to an individual.
Personal Information will be retained for at least seven years following the end of the relationship (unless there are legal requirements that require its retention) after which all documentation will be destroyed in a manner commensurate with its sensitivity.
Most internet browsers accept cookies by default. Cookies may be blocked by activating the setting on the browser that allows the user to reject all or some cookies. Although a user is not required to accept cookies, if these cookies are blocked or rejected, a user may not have access to all of the features available through the Services.
TruX may use third-party analytics such as Google Analytics or other similar analytics services to monitor usage and improve content and functionality. For information on how Google processes and collects your information regarding Google Analytics and how you can opt out, please see https://tools.google.com/dlpage/gaoptout.
Individual Access to their Personal Information
TruX’s Chief Compliance Officer has been appointed Chief Privacy Officer (“CPO”). The CPO oversees privacy governance including the development of policies, adherence to procedures, training and education, reporting to TruX’s Board of Directors and dispute resolution. The CPO may be contacted in writing if investors wish to:
- access their Personal Information;
- correct their Personal Information;
- withdraw consent to any use and disclosure of their Personal Information (however, this may limit the investor’s opportunity to access TruX’s services or products);
- obtain more information or have concerns; and
- file a complaint relating to how TruX has handled their Personal Information (if an investor is dissatisfied with the results of an investigation of a complaint, they may bring the complaint to the attention of the Office of the Privacy Commissioner of Canada (“OPC”)).
Costs associated with the provision of Personal Information further to an investor’s written request are borne by the investor. Requested information will generally be provided within 30 days of the request being made. TruX’s CPO may be contacted at:
Chief Privacy Officer
True Exposure Investments, Inc.
130 King St. W., Suite 1800
Breaches and Risk of Harm
TruX is subject to reporting and notification obligations in the event a privacy breach occurs that results in a real risk of significant harm to an individual. A privacy breach is the loss of, unauthorized access to or disclosure of Personal Information resulting from a breach of an organization’s security safeguards. A real risk of significant harm includes, but is not limited to, damage to reputation or relationships, identity theft, humiliation or financial loss.
In the event of a privacy breach, TruX will investigate and assess the implications of the breach as soon as feasible. Where TruX has determined the breach creates a real risk of significant harm to an individual, TruX will investigate the matter, report to the OPC and notify affected individuals as soon as feasible, and take remedial measures as applicable.